Nigerian-based online lending platform Sokoloan has been hit with a N10 million fine by the National Information Technology Development Agency (NITDA). The fine is a result of the company's invasion of clients' privacy.
NITDA took this action (sanction) after receiving a series of complaints against the company for unauthorized disclosures, failure to protect customers' data and defamation of character, as well as carrying out the necessary due diligence as enshrined in the Nigeria Data Protection Regulation (NDPR).
What is going on?
Lending platforms like Sokoloan provide uncollateralized loans and require a loanee to download the mobile application on their phone and activate a direct debit in the company's favour. I guess you, like me, wonder how platforms like Sokoloan deal with situations such as failure to repay loans, since borrowers do not provide any form of collateral.
The strategy sounds funny, but yes, there is one: gaining access to contact lists and sending messages. NITDA's investigation attests to this claim. The regulator found in its investigation that Sokoloan embeds trackers in its mobile application. These trackers share customers' data with third parties.
So, "if a recipient defaults on their loan, the lender targets their acquaintances since they have illegal access to their contact lists. The platform sends messages to customers' contacts to report how the customer has scammed them; these people could be friends, work colleagues or even in-laws." TechCabal
NITDA revealed on its website that it had received a series of complaints against the company for unauthorized disclosures, failure to protect customers' data and defamation of character.
One such complaint, filed by Bloomgate Solicitors on behalf of its client, the data subject, was received on Monday, 11th November 2019. NITDA, as part of its due diligence process, commenced an investigation into the alleged infractions of the provisions of the NDPR.
According to one of the complainants, when he failed to meet his repayment obligations due to insufficient credit in his account on the date the direct debit was to take effect, the company unilaterally sent privacy-invading messages to the complainant's contacts.
The investigation revealed that the complainants' contacts, who were neither parties to the loan transaction nor had consented to the processing of their data, confirmed the receipt of such messages.
The Agency's investigation further revealed that the company embeds trackers that share data with third parties inside its mobile application without providing users information about it or using the appropriate lawful basis.
Apart from the N10 million sanction, NITDA has also directed Sokoloan to do the following:
- Send no further privacy-invading messages to any Nigerian until the company and its entities show full compliance with the NDPR;
- Pay for the conduct of a Data Protection Impact Assessment on its operation by a NITDA-appointed DPCO; and
- Be placed on mandatory Information Technology and Data Protection oversight for nine months.